I hate GDPR. We should have more of it.

GDPR is good for you if you're a company, and it's good for you if you're a private person

Posted on January 07, 2023

The EU General Data Protection Regulation, aka GDPR, is the EU-wide legislation about companies and other entities protecting the personal data of individuals. It came into effect in 2018, forcing every single company registered in the EU to start caring about how they handle data like people's names, e-mail addresses, birth dates, and everything more sensitive. It also had an effect way beyond just the EU. And I was really pissed about it:

As somebody running a company, at first, becoming GDPR-compliant was a hassle, a time and money sink. I thought that the only thing we were doing was hiring lawyers to create lengthy privacy policies that nobody will read and developing cookie banners that everybody will hate. And in the end, we'll manage what little personal data that we collect in the same way as before, since we already were conscious about keeping them safe.

But I had to admit even then, and especially in the 5 years since, that GDPR wasn't the regulation we wanted but one that we needed. We had to, for the first time, actually think through in-depth how we manage personal data. There was no documented process to delete user data, so we created one. Writing the privacy policy helped us understand how we use all the online services where we keep data, evaluate whether we need all of them, and make sure the data there is safe both from prying eyes and from getting lost. Finally, while I personally hate the annoyance of "cookie warnings", I don't have a better idea. They're not just about cookies, mind you, but giving (or refusing to give) permission to a variety of data collection and profiling.

GDPR is still a chore. But it's necessary; there's no fair game without rules, and data protection was a partially regulated wild west. It also improved people being aware of data privacy. Some of them actually read the privacy policy, and request their data be removed!

I also understand it being important for me as a private person since I'm only an entrepreneur in one company, but I'm a consumer with many. Am I at a dentist's office, giving out a bunch of my very sensitive healthcare data? Yes, I'd like to see the privacy policy. Yes, even if you have to dig for it in the drawer. Are you a telemarketer calling me? Thanks, but not at this time, I want my data to be removed. We both know you actually have to do it. Are you sending me newsletters without an unsubscribe link? That's illegal, but water under the bridge; a polite e-mail mentioning the magic word "GDPR" will quickly remove me from the list though.

We need more groundbreaking regulations such as GDPR. Yes, we the companies will complain about having to work to become compliant and because we hate rules that aren't ours. Yes, we the people will complain because there's always something to complain about. But ultimately, this is what governments should do: create legislation that protects those who are less capable of asserting their interests, or dare I say, who're weaker.